Looking up the value defined in the hiera.yaml
239 views
Skip to first unread message
Go Iwai
Nov 23, 2020, 10:41:45 AM11/23/20
to puppet...@googlegroups.com
Hello,
I am writing this to ask you if/how I can lookup values defined in the
hiera.yaml.
My hiera.yaml looks like:
hierarchy:
- name: "sensitive data"
lookup_key: eyaml_lookup_key
path: sensitive.eyaml
options:
pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
I would like to lookup the location for the keys from the yaml file.
Because I need to decrypt some files like:
eyaml decrypt --file=encrypted-file
--pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
--pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
It looks more natural if I could rewrite this line above like below:
eyaml decrypt --file=encrypted-file
--pkcs7-public-key=%{pkcs7_public_key}
--pkcs7-private-key=%{pkcs7_private_key}
Please let me know if there is any way to realise this. I would
appreciate so much if anybody could give me advice or suggestion.
Kind regards,
Go
I am writing this to ask you if/how I can lookup values defined in the
hiera.yaml.
My hiera.yaml looks like:
hierarchy:
- name: "sensitive data"
lookup_key: eyaml_lookup_key
path: sensitive.eyaml
options:
pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
I would like to lookup the location for the keys from the yaml file.
Because I need to decrypt some files like:
eyaml decrypt --file=encrypted-file
--pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
--pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
It looks more natural if I could rewrite this line above like below:
eyaml decrypt --file=encrypted-file
--pkcs7-public-key=%{pkcs7_public_key}
--pkcs7-private-key=%{pkcs7_private_key}
Please let me know if there is any way to realise this. I would
appreciate so much if anybody could give me advice or suggestion.
Kind regards,
Go
Dirk Heinrichs
Nov 23, 2020, 10:55:31 AM11/23/20
to puppet...@googlegroups.com
Am Montag, den 23.11.2020, 15:23 +0900 schrieb Go Iwai:
It looks more natural if I could rewrite this line above like below:eyaml decrypt --file=encrypted-file--pkcs7-public-key=%{pkcs7_public_key}--pkcs7-private-key=%{pkcs7_private_key}
I don't think you need to specify these options at all if everything is configured correctly. I have the following hiera.yaml in my Puppet environments:
---
version: 5
defaults:
datadir: hiera
lookup_key: eyaml_lookup_key
hierarchy:
- name: Main
options:
pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
paths:
version: 5
defaults:
datadir: hiera
lookup_key: eyaml_lookup_key
hierarchy:
- name: Main
options:
pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
paths:
- ...
- common.yaml
With this in place I can simply type "eyaml edit common.yaml" or "eyaml encrypt -s 'something'", w/o specifying the keys every time.
HTH...
Dirk
--
Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind
Phone: +49 2226 15966 18
Email: dhei...@opentext.com
Website: www.recommind.de
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
Vertretungsberechtigte Geschäftsführer Gordon Davies, Madhu Ranganathan, Christian Waida, Registergericht Amtsgericht Bonn, Registernummer HRB 10646
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail sind nicht gestattet.
Go Iwai
Nov 30, 2020, 11:15:25 AM11/30/20
to Puppet Users
Hello Dirk,
Thank you for replying to the mail. However, your code doesn't work for the resource of exec like below:
exec { '/path/to/decrypted-file':
command => 'eyaml decrypt --file=/path/to/encrypted-file > /path/to/decrypted-file',
# ...snip
}
This generates a notice like:
Notice: /Stage[main]/xxx::zzz/Exec[/path/to/decrypted-file]/returns: [hiera-eyaml-core] No such file or directory @ rb_sysopen - ./keys/private_key.pkcs7.pem
I can workaround this if I gave the directory, where keys are located, to an attribbute of cwd like:
cwd => /etc/puppetlabs/code,
# pkcs7_private_key: '/etc/puppetlabs/code/keys/private_key.pkcs7.pem'
# pkcs7_public_key: '/etc/puppetlabs/code/keys/public_key.pkcs7.pem'
I gratefully thank for any further advises.
Kind regards,
Go
2020年11月24日火曜日 0:55:31 UTC+9 Dirk Heinrichs:
Martin Alfke
Nov 30, 2020, 1:44:51 PM11/30/20
to Puppet Users
Hi Go,
> On 24. Nov 2020, at 00:06, Go Iwai <go....@kek.jp> wrote:
>
> Hello Dirk,
>
> Thank you for replying to the mail. However, your code doesn't work for the resource of exec like below:
>
> exec { '/path/to/decrypted-file':
> command => 'eyaml decrypt --file=/path/to/encrypted-file > /path/to/decrypted-file',
> # ...snip
> }
You want to create a file based on eyaml encrypted content.
That means that you must ensure that eyaml is installed on any system which receives the exec resource.
A better solution is to use class parameters:
class xxx::zzz (
String $content,
){
file { '/path/to/decrypted-file':
ensure => file,
content => $content,
}
}
And then have the encrypted file content in hiera:
xxx::zzz::content: >
ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
DQYJKoZIhvcNAQEBBQAEggEAmporEXibvTRjR+81UCj7xHmSLk9bQw91jETE
PXcdlpvs6g4YqJUy+D8H0F2puVeVDFcpXBKSzv29NYzjZS7ZiJj/SezB+rRu
9Duk57tUW2Ly+ECuTwZCwkjKuDuY6XLQXayRGP39dxS+gCvJiNwxHN2i3XRG
m+S/vqkQVJITT6Etra8XWgsVdF0XqBDDcqRnF60xr7vk4sQq/RujFyV9+/hr
gw/qnKFfewdb27TkRCO9eHp00jEfTdHrg/GrhMkv/BfcodMuuqiSh/EfWPfG
8MPrPmSSAHktgKY81/lPHiz73OAaf7p7HSSclWpCUYUHiHGsi6gPLN9e3PoY
Br4TmjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBxlWjEC2Ij08R/N7Vo
63EagBB6T4EMZSB/2E6dW8NFQP7o]
hth,
Martin
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/8e51cbb0-02bd-4999-b89b-ea656c139018n%40googlegroups.com.
> On 24. Nov 2020, at 00:06, Go Iwai <go....@kek.jp> wrote:
>
> Hello Dirk,
>
> Thank you for replying to the mail. However, your code doesn't work for the resource of exec like below:
>
> exec { '/path/to/decrypted-file':
> command => 'eyaml decrypt --file=/path/to/encrypted-file > /path/to/decrypted-file',
> # ...snip
> }
That means that you must ensure that eyaml is installed on any system which receives the exec resource.
A better solution is to use class parameters:
class xxx::zzz (
String $content,
){
file { '/path/to/decrypted-file':
ensure => file,
content => $content,
}
}
And then have the encrypted file content in hiera:
xxx::zzz::content: >
ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
DQYJKoZIhvcNAQEBBQAEggEAmporEXibvTRjR+81UCj7xHmSLk9bQw91jETE
PXcdlpvs6g4YqJUy+D8H0F2puVeVDFcpXBKSzv29NYzjZS7ZiJj/SezB+rRu
9Duk57tUW2Ly+ECuTwZCwkjKuDuY6XLQXayRGP39dxS+gCvJiNwxHN2i3XRG
m+S/vqkQVJITT6Etra8XWgsVdF0XqBDDcqRnF60xr7vk4sQq/RujFyV9+/hr
gw/qnKFfewdb27TkRCO9eHp00jEfTdHrg/GrhMkv/BfcodMuuqiSh/EfWPfG
8MPrPmSSAHktgKY81/lPHiz73OAaf7p7HSSclWpCUYUHiHGsi6gPLN9e3PoY
Br4TmjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBxlWjEC2Ij08R/N7Vo
63EagBB6T4EMZSB/2E6dW8NFQP7o]
hth,
Martin
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/8e51cbb0-02bd-4999-b89b-ea656c139018n%40googlegroups.com.
Go Iwai
Dec 6, 2020, 7:37:37 PM12/6/20
to puppet...@googlegroups.com
Hello Martin,
Thank you for letting me know of another way.
Yes - using the content property within the file resource and
interpolate from hiera could be another option for what I want to do.
However, I want to change the content property each hostname. Which
means every host has individual content. In that context, I have to
create very long hiera like:
xxx::zzz:
host-1: >
ENC[...snip #
host-2: >
ENC[...snip #
...snip
...then lookup(xxx::zzz.%{facts.fqdn}). # this violates in puppet
Instead, using eyaml in the exec resource like below is a slightly
easy way to write:
exec { '/path/to/decrypted':
command => "eyaml decrypt --file=/path/to/$::facts['fqdn']/encrypted
> /path/to/decrypted'",
cwd => '/path/to/dir/to/keys',
...snip
}
Thank you very much for your help.
Kind regards,
Go
> You received this message because you are subscribed to a topic in the Google Groups "Puppet Users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/puppet-users/Mvau4uw8XHY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/A4F93322-D105-4219-9436-9DDB152DC4B8%40gmail.com.
Thank you for letting me know of another way.
Yes - using the content property within the file resource and
interpolate from hiera could be another option for what I want to do.
However, I want to change the content property each hostname. Which
means every host has individual content. In that context, I have to
create very long hiera like:
xxx::zzz:
host-1: >
ENC[...snip #
host-2: >
ENC[...snip #
...snip
...then lookup(xxx::zzz.%{facts.fqdn}). # this violates in puppet
Instead, using eyaml in the exec resource like below is a slightly
easy way to write:
exec { '/path/to/decrypted':
command => "eyaml decrypt --file=/path/to/$::facts['fqdn']/encrypted
> /path/to/decrypted'",
cwd => '/path/to/dir/to/keys',
...snip
}
Thank you very much for your help.
Kind regards,
Go
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/puppet-users/Mvau4uw8XHY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/A4F93322-D105-4219-9436-9DDB152DC4B8%40gmail.com.
Reply all
Reply to author
Forward
0 new messages